CAVAS: Neutralizing Application and Container Security Vulnerabilities in the Cloud Native Era

  • Conference paper
  • Security and Privacy in Communication Networks (SecureComm 2018)

Abstract

The security challenges of container technologies such as Docker and Kubernetes are key issues in software development and other industries. This has increased interest in application container counter-measures, e.g. detection and mitigation of the high number of vulnerabilities affecting container images, in particular images hosted on DockerHub. However, investigations of application-layer vulnerabilities in Microservice Architectures (MSA) such as Cloud Native Environments (CNE) are lacking. In this paper, we investigate both image-layer and application-layer vulnerabilities and apply vulnerability correlation to understand the dependence relationships between vulnerabilities found in these layers. The outcome of this analysis offers interesting insights applicable to risk management and security hardening of microservices, e.g. deployment of vulnerability-correlation-based security policies that are useful for vulnerability detection, risk prioritization and resource allocation. Our prototype implementation extends our previous security system, the Cloud Aware Vulnerability Assessment System (CAVAS), which employs the Security Gateway concept for security policy enforcement. The Security Gateway leverages the client-side discovery and registry cloud pattern for discovering microservices and the notion of dynamic document stores for exploring and testing RESTful microservices. Our experimental evaluation shows that the Security Gateway's vulnerability detection rate out-performs that of traditional testing approaches by 31.4%. We also discover that about 26.2% of the severity metrics for vulnerabilities detected by image security scanners are incorrect. Hence, correcting this information is a prerequisite step to vulnerability correlation. Our proposal can therefore be employed for efficient continuous security and risk assessments in CNE.



Author information

Correspondence to Kennedy A. Torkura.

Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

Cite this paper

Torkura, K.A., Sukmana, M.I.H., Cheng, F., Meinel, C. (2018). CAVAS: Neutralizing Application and Container Security Vulnerabilities in the Cloud Native Era. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 254. Springer, Cham. https://doi.org/10.1007/978-3-030-01701-9_26

  • DOI: https://doi.org/10.1007/978-3-030-01701-9_26

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-01700-2

  • Online ISBN: 978-3-030-01701-9

  • eBook Packages: Computer Science (R0)
